I still have some contacts into the UCSD computer science department from when I was doing my PhD. If we had a stated security model, it might be worth asking whether any students are interested in reviewing it.

On 2/15/2017 3:07 AM, Michał Kłeczek wrote:
Reviewing just the source code without any high level overview and
explanation how and why it is implemented in a particular way
is difficult (if possible at all).

That is why it would be really helpful if the questions asked were
answered.

Not only researchers are interested - also potential users and
contributors.

Thanks,
Michal

Peter wrote:
I can't make any guarantee that it is secure, but the more people
review it, the more likely it is that bugs and flaws will be identified.

I'm especially interested in security researchers checking it out if
they're interested.

Cheers,

Peter.

---- Original message ----
From: Michał Kłeczek<mic...@kleczek.org>
Sent: 15/02/2017 08:04:39 pm
To: dev@river.apache.org
Subject: Re: deserialization remote invocation strategy


  The code actually does what I've described above, but don't take my
word for it, check it for yourself. :)

  If you disagree, don't use it.
It works the other way around - before I decide to use it - I have to
understand how it works.
Even more so if we are talking about security.

That is why I consider scrutiny and questioning a Good Thing in this
context.

"Check for yourself" is not encouraging advice in the area of
security :)

Cheers,
Michal